Avaya One-X Mobile implementation for Android and iPhone

Frank McCourry, V.P. Holland Computers, Inc.
Implementing Avaya's One-X portal is pretty painless, until you want to deploy this to the Android and iPhone clients when these clients are outside of your network. The clients will also work within your local network. Here is our experience and solution. Your mileage may vary depending on the resources available to you.

In this article:
I assume you are familiar with Avaya IP Office Systems, IP Addressing, DNS and TCP/IP ports, and Port forwarding. If this is not the case, get familiar with them first. Nothing I say will make sense until you have a grasp of the basics.
Internal means the local network.
External means the Internet or anything on or beyond the public (or outside) interface of the NAT firewall
IPO means the Avaya IP Office system unit
FQDN means Fully Qualified Domain Name

If you only have one Internet connection, you can put a switch between the ISP and your router. You will have to obtain a second IP address from your ISP for the IPO. It is also possible to use a router with multiple interfaces to accomplish this.

All IP addresses and domain names are fictitious and any resemblance to anyone's network is purely coincidental

First, the specs. We are implementing One-X version 9.0.0 with an Avaya IPO 500. Our network is behind a NAT firewall built in a Cisco 3600 series router. I will not go into the setup and installation of the One-X Server or the IPO, other than the specific issues regarding this implementation. The documentation for this is actually pretty good, except that it is somewhat vague about whether it is referring to the One-X server or the IPO. They are both referred to as "server" in the documentation, which leads to some of the confusion I will try to clear up here.

The following diagram will help explain the setup. It is referenced throughout this article:

Notice that we are using a "Split DNS" configuration which simply means that we have DNS records for domain.com on our internal DNS server(s) as well as external DNS server(s). The Internal DNS Server has the records that point the Fully Qualified Domain Name (FQDN) of each server to the internal IP addresses and the External does the same with the external IP addresses. It is important that these names and addresses be established before doing any configuration of the IPO or the One-X Server.

In our example the following DNS records were created:
Internal DNS Server 'A' Records
ipo.domain.com =
one-x.domain.com =
External DNS Server 'A' Records
ipo.domain.com =
one-x.domain.com =
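
A quick consistency check for the two DNS views described above, as an added example that is not part of the original article. The addresses are constructed samples (private and documentation ranges), not the author's values, and the checks assume the internal network uses RFC 1918 addressing and that the IPO has its own public IP, as in this setup.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also treats
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_a_records(text):
    """Parse 'name = address' lines (the layout used above) into a dict."""
    records = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, addr = line.partition("=")
        records[name.strip().lower().rstrip(".")] = addr.strip()
    return records

def check_split_dns(internal, external, names):
    """Return a list of findings; an empty list means both views look sane."""
    findings = []
    for name in names:
        inside, outside = internal.get(name), external.get(name)
        if not inside:
            findings.append(f"{name}: missing from internal view")
        elif not is_rfc1918(inside):
            findings.append(f"{name}: internal view returns non-private {inside}")
        if not outside:
            findings.append(f"{name}: missing from external view")
        elif is_rfc1918(outside):
            findings.append(f"{name}: external view leaks private {outside}")
    ext = [external.get(n) for n in names if external.get(n)]
    if len(ext) != len(set(ext)):  # the IPO uses its own public IP in this setup
        findings.append("external view: names share one address, expected separate IPs")
    return findings

NAMES = ["ipo.domain.com", "one-x.domain.com"]
# Constructed sample records, not the values from the article.
INTERNAL = parse_a_records("ipo.domain.com = 192.168.10.5\none-x.domain.com = 192.168.10.6")
EXTERNAL = parse_a_records("ipo.domain.com = 203.0.113.20\none-x.domain.com = 203.0.113.10")
BROKEN = parse_a_records("ipo.domain.com = 203.0.113.20\none-x.domain.com = 192.168.10.6")

if __name__ == "__main__":
    for label, view in (("good", EXTERNAL), ("broken", BROKEN)):
        print(label, check_split_dns(INTERNAL, view, NAMES) or "OK")
```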

Configure your NAT Firewall:

Your firewall configuration will vary between makes and models of firewalls. I cannot, in an article like this, explain every method to create these port forwarding rules. Read your firewall documentation and follow its procedures to ensure that the following TCP ports are all forwarded to your One-X Server:
TCP 5222
TCP 5269
TCP 8080
TCP 8444
There is no need to forward any of the ports needed for the IPO since it will be using its own Internet connection.
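
One way to confirm the forwarding rules from a machine outside the firewall, as an added example that is not part of the original article. The `must_be_closed` parameter is a hypothetical, site-specific list of ports you have decided must not answer from the Internet; the article does not define one.

```python
import socket
import sys

# TCP ports the article forwards to the One-X server.
ONEX_FORWARDED = (5222, 5269, 8080, 8444)

def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False

def audit_forwards(host, expected=ONEX_FORWARDED, must_be_closed=(), timeout=2.0):
    """Compare what answers on `host` with what the firewall rules intend.

    expected:       ports that should be forwarded to the One-X server.
    must_be_closed: ports that must never answer from outside (assumption,
                    chosen per site; empty by default).
    """
    report = {"missing": [], "unexpected": []}
    for port in expected:
        if not tcp_open(host, port, timeout):
            report["missing"].append(port)
    for port in must_be_closed:
        if tcp_open(host, port, timeout):
            report["unexpected"].append(port)
    return report

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_forwards.py <external FQDN or IP of your One-X server>")
    result = audit_forwards(sys.argv[1])
    print("missing forwards:", result["missing"] or "none")
    print("unexpectedly open:", result["unexpected"] or "none")
```

Run it from outside your network against your own external name; a port reported as missing means the forward, the server's listener, or the external DNS record still needs attention.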

Once our DNS records are all created properly and our NAT firewall port forwards are completed, we can use this information to get our One-X and IPO configurations completed.

One-X Server:
The One-X installation is pretty straightforward. Follow the installation instructions given in the documentation. While the documentation tells you to populate the XMPP domain name on the server, it does not clarify if this is the One-X server or the IPO. The XMPP domain name is the name of your One-X server. In this case: one-x.domain.com. Do not use an IP address here.

Log on to the One-X portal administration and navigate to Configuration->IM/Presence Server. Then populate the XMPP domain Name with 'one-x.domain.com':
That's it for the One-X Server. Now on to the confusing arena of the IPO...

Configuring the IPO takes a bit of planning and a good understanding of IP routing. In our case, we are going to use the LAN1 interface for the internal network and the LAN2 interface for the external network. The LAN2 interface is connected to the public Internet without a firewall or NAT device. For this reason, I HIGHLY recommend that you first change the Administrator password.

Log on to your IPO and go to the System Menu, then:
Let's configure the LAN1 Interface first:
Lan Settings Tab:
Set your IP Address and IP Mask.  In our case
Set the Primary Trans. IP address to your Gateway address for your network. In our case  (This is not always your gateway address, which is why it is not named as such.  Read the Avaya IPO help for a better explanation of this setting)
Choose a RIP Mode; this will help the IPO build its routing tables by obtaining this information from other routers. Make sure this mode matches your Internet router.

Use the image below and replicate the settings
Ensure that SIP Remote Extn Enable is unchecked. This can only be checked on the LAN1 or LAN2 interface. Since we will be using it on LAN2, it must be disabled here.
Notice the domain name. This is the ipo.domain.com in our example. Again this is where the documentation gets vague.

Network Topology Tab:
Simply change the Firewall/NAT Type to Open Internet; everything else should be left at defaults.

Now, LAN2:
LAN Setting Tab
Set the External IP Address of the IPO.  In our case
Set the IP Mask, your ISP will tell you what this is.  Ours is
Leave the Primary Trans. IP Address set at
Set the Firewall profile to <None>. You can build and apply a firewall profile to use here, but it's not necessary as all traffic is encrypted anyway, and you did set a strong Administrator password, right? (If you do choose to build a firewall, make sure you open all of the ports listed on the VOIP Tab.)
Set the RIP Mode. RIP1 usually works with most ISPs.

Just match up with the image below

Network Topology Tab

STUN Server Address is not important in this scenario and is ignored because of the Firewall/NAT setting. Read the IPO help to understand why.
Firewall/NAT Type is set to Open Internet.  You did remember to reset that Administrator password, right?
Public IP address is the same address you gave on the LAN Settings Tab In our case
Populate the UDP port with 5060
Populate the TCP Port with 5060
Populate the TLS port with 5061 - Certificate setup is not important because iPhone will not use TLS and Android simply ignores certificate errors (which is a good argument for using an Android).

Next, we configure IP Routes:
For this config we will need to add 2 routes under the IP Route Menu
The First Route is for a default Gateway.  We want this to be the WAN interface on the IPO
IP Address =
IP Mask =
Gateway IP Address =
Destination = LAN2

The Second Route is to tell the IPO where the local network is.  (For the life of me, I cannot figure out why this is necessary, but it works)
IP Address =
IP Mask =
Gateway IP Address = This is the IP address of the LAN Interface, not your firewall/router!

Destination = LAN1

Avaya One-X Mobile IPO Application

The Server ID is the FQDN of your One-X server. Ours is one-x.domain.com. Your user name and password are the same as configured in the IPO user menu.

Now, as long as you have all of the proper licensing, you should see the Avaya One-X Mobile Application show fully connected and ready to go!

This is a repost of my original article which can be found here: http://www.xpertnotes.net/ipo_onex_on_wan/